This invention relates to methods and systems for converting a first key value of a first communications system to a second key value of a second communications system.

[0002] FIG. 1 depicts a schematic diagram of first and second wireless communications systems which provide wireless communications service to wireless units (e.g., wireless units 12a-c) that are situated within the geographic regions 14 and 16, respectively. A Mobile Switching Center (e.g. MSCs 20 and 24) is responsible for, among other things, establishing and maintaining calls between the wireless units, calls between a wireless unit and a wireline unit (e.g., wireline unit 25), and/or connections between a wireless unit and a packet data network (PDN), such as the internet. As such, the MSC interconnects the wireless units within its geographic region with a public switched telephone network (PSTN) 28 and/or a packet data network (PDN) 89. The geographic area serviced by the MSC is divided into spatially distinct areas called "cells." As depicted in FIG. 1, each cell is schematically represented by one hexagon in a honeycomb pattern; in practice, however, each cell has an irregular shape that depends on the topography of the terrain surrounding the cell.

Typically, each cell contains a base station (e.g. base stations 22a-e and 26a-e), which comprises the radios and antennas that the base station uses to communicate with the wireless units in that cell. The base stations also comprise the transmission equipment that the base station uses to communicate with the MSC in the geographic area. For example, MSC 20 is connected to the base stations 22a-e in the geographic area 14, and an MSC 24 is connected to the base stations 26a-e in the geographic region 16. Within a geographic region, the MSC switches calls between base stations in real time as the wireless unit moves between cells, referred to as call handoff. Depending on the embodiment, a base station controller (BSC) can be a separate base station controller (BSC) (not shown) connected to several base stations or located at each base station which administers the radio resources for the base stations and relays information to the MSC.

[0004] The MSCs 20 and 24 use a signaling network 32, such as a signaling network conforming to the standard identified as TIA/EIA-41-D entitled "Cellular Radiotelecommunications Intersystem Operations," December 1997 ("IS-41"), which enables the exchange of information about the wireless units which are roaming within the respective geographic areas 14 and 16. For example, a wireless unit 12a is roaming when the wireless unit 12a leaves the geographic area 14 of the MSC 20 to which it was originally assigned (e.g. home MSC). To ensure that a roaming wireless unit can receive a call, the roaming wireless unit 12a registers with the MSC 24 in which it presently resides (e.g., the visitor MSC) by notifying the visitor MSC 24 of its presence. Once a roaming wireless unit 12a is identified by a visitor MSC 24, the visitor MSC 24 sends a registration request to the home MSC 20 over the signaling network 32, and the home MSC 20 updates a database 34, referred to as the home location register (HLR), with the identification of the visitor MSC 24, thereby providing the location of the roaming wireless unit 12a to the home MSC 20.

[0005] After a roaming wireless unit is authenticated, the home MSC 20 provides to the visitor MSC 24 a customer profile which indicates the features available to the roaming wireless unit, such as call waiting, caller id, call forwarding, three-way calling, and international dialing access. Upon receiving the customer profile, the visitor MSC 24 updates a database 36, referred to as the visitor location register (VLR), to provide the same features as the home MSC 20. The HLR, VLR and/or the authentication center (AC) can be co-located at the MSC or remotely accessed.

[0006] If a wireless unit is roaming between wireless communications systems using different wireless communications standards, providing the wireless unit with the same features and services in the different wireless communications systems is complex if even feasible. There are currently different wireless communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes two major wireless communications systems with differing standards. The first system is a time division multiple access system (TDMA) and is governed by the standard known as IS-136; the second system is a code division multiple access (CDMA) system governed by the standard known as IS-95. Both communication systems use the standard known as IS-41 for intersystem messaging, which defines the authentication procedure.

[0007] In TDMA, users share a frequency band, each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish them, hence the phrase "time division". At the receiver, the packet is decompressed. In the IS-136 protocol, three users share a given carrier frequency. In contrast, CDMA uses a unique code to "spread" the signal across the wide area of the spectrum (hence the alternative name - spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust and secure channel can be established, even for an extremely low-power signal. Further, by using different codes, a number of different channels can simultaneously share the same carrier signal without interfering with each other. Both CDMA and TDMA systems are defined for Second Generation (2G) and Third Generation (3G) phases with differing requirements for user information privacy or confidentiality.

[0008] Europe utilizes the Global System for Mobiles (GSM) network as defined by the European Telecommunications Standard Institute (ETSI). GSM is a TDMA standard, with 8 users per carrier frequency. The speech is taken in 20 msec windows, which are sampled, processed, and compressed. GSM is transmitted on a 900
1.8 GHz (DCS 1800), providing additional capacity, and is often viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented DCS-1900, another GSM system operating on the different carrier of 1.8 GHz. Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). PDC is a TDMA standard similar to the U.S. standard known as protocol.

[0009] The GSM network utilizes a removable user identification module (UIM) which is a credit card size card which is owned by a subscriber, who slides the UIM into any GSM handset to transform it into "their" phone. It will ring when their unique phone number is dialed, calls made will be billed to their account; all options and services connect; voice mail can be connected and so on. People with different UIMs can share one "physical" handset, turning it into several "virtual" handsets, one per UIM. Similar to the U.S. systems, the GSM network also permits "roaming", by which different network operators agree to recognize (and accept) subscribers from other wireless communications networks, as wireless units (or UIMs) move. So, British subscribers can drive through France or Germany and use their wireless unit to make and receive calls (on their same UK number), with as much ease as an American businessman can use a wireless unit in Boston, Miami, or Seattle, within any one of the U.S. wireless communications systems. The GSM system is defined as a Second Generation (2G) system.

[0010] The third generation (3G) enhancement of the GSM security scheme is defined in the Universal Mobile Telecommunications Service (UMTS) set of standards, and specifically for the security in the standard identified as 3GPP TS-33.102 "Security Architecture" specifications. This security scheme with slight variations will be used as a basis for the worldwide common security scheme for all 3G communications systems, including UMTS, TDMA, and CDMA.

[0011] The 2G GSM authentication scheme is illustrated in FIG. 2. This authentication scheme includes a home location register (HLR) 40, a visiting location register (VLR) 50, and a wireless unit or mobile terminal (MT) 60, which includes a UIM 62. When the mobile terminal 60 places a call, a request is sent to the home location register 40, which generates an authentication vector AV, also called "triplet" (RAND, SRES, Kc) from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 50, which passes the random number RAND to the mobile terminal 60. The UIM 62 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and an algorithm A3, calculates a signed response SRES. The UIM 62 also utilizes the root key Ki and the random number RAND, and an algorithm A8 to calculate the session key Kc. The SRES, calculated by the UIM 62, is returned to the visiting location register 50, which compares this value from the SRES received from the home location register 40, in order to authenticate the subscriber using the mobile terminal 60.

[0012] In the GSM "challenge/response" authentication system, the visiting location register 50 never receives the root key Ki being held by the UIM 62 and the home location register 40. The VLR 50 also does not need to know the authentication algorithms used by the HLR 40 and UIM 62. Also, in the GSM authentication scheme, the triplet must be sent for every phone call by the home location register 40. RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224 bits of data for each request, which is a significant data load. The main focus of this description is the 64 bits long Kc session ciphering key which is used for user information confidentiality. When the mobile terminal roams into another serving system while in the call, the session key Kc is forwarded from the old VLR to the new target serving system.

[0013] FIG. 3 shows the UMTS security scheme which is an enhancement to the 2G GSM scheme. Similar to the GSM scheme, when the mobile terminal 90 places a call, a request is sent to the home location register 70, which sends an authentication vector AV to the Visited Location Register (VLR) 80 which contains five elements instead of the three elements of a triplet, and therefore is called "quintuplet". This vector contains the 128 bit RAND, the 64 bits SRES, the AUTN value which carries the authentication signature of the home network, and two session security keys: the 128 bit ciphering key CK and the 128 bit integrity key IK. These latter two keys, CK and IK, are the focus of this description.

[0014] The vector is provided to the visiting location register 80, which passes the random number RAND and the AUTN to the mobile terminal 90. The UIM 92 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and defined algorithmic functions, validates the AUTN and calculates a signed response SRES. The UIM 92 also utilizes the root key Ki and the random number RAND and defined algorithmic functions to calculate the session keys CK and IK. The SRES, calculated by the UIM 92, is returned to the visiting location register 80, which compares this value from the SRES received from the home location register 70 in order to authenticate the subscriber using the mobile terminal 90. A focus of this description are the 128 bits long session ciphering key CK and 128 bits long session integrity key IK which are used for user information confidentiality and session integrity protection. Once the subscriber is successfully authenticated, the VLR 80 activates the CK and IK received in this authentication vector. If the mobile terminal roams into another serving system while on the call, the CK and IK are sent to the new target serving system.

[0015] The 2G IS-41 authentication scheme, used in U.S. TDMA and CDMA systems, is illustrated in FIG. 4. This authentication scheme involves a home location register (HLR) 100, a visiting location register (VLR) 110, and a mobile terminal (MT) 120, which can include a UIM 122. The root key, known as the A_key, is stored only in the HLR 100 and the UIM 122. There is a secondary key, known as Shared Secret Data SSD, which is sent to the VLR 110 during roaming. SSD is generated from the A_key using a cryptographic algorithm. The procedure for generating the SSD is described elsewhere and is known to those skilled in the art. When the MT 120 roams to a visiting network, the VLR 110 sends an authentication request to the HLR 100, which responds by sending that subscriber's SSD. Once the VLR 110 has the SSD, it can authenticate the MT 120 independently of the HLR 100, or with the assistance of the HLR 100 as is known to those skilled in the art. The VLR 110 sends a random number RAND to the UIM 122 via the MT 120, and the UIM 122 calculates the authentication response (AUTHR) using RAND and stored value of SSD in UIM 122. AUTHR is returned to the VLR 110, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 120 is declared valid. This process repeats when the wireless unit attempts to access the system, for instance, to initiate a call, or to answer a page when the call is received.

In these cases, the session security keys are also generated. To generate session security keys, the internal state of the computation algorithm is preserved after the authentication calculation. Several session security keys are then calculated by the UIM 122 and the VLR 110 using the current value of SSD. Specifically, the 520 bits Voice Privacy Mask (VPM) is computed, which is used for concealing the TDMA speech data throughout the call. This VPM is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the VPM is sent to the new serving system by the VLR. When the call is concluded, the VPM is erased by both the UIM and the serving VLR. Likewise, the 64 bits Signaling Message Encryption Key (SMEKEY) is computed, which is used for encrypting the TDMA signaling information throughout the call. This SMEKEY is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the SMEKEY is sent to the new serving system by the VLR. When the call is concluded, the SMEKEY is erased by both the UIM and the serving VLR.

[0017] The 2G CDMA scheme uses a similar method of key distribution, except, instead of the 520 bits VPM, it is using the 42 Least Significant Bits (LSB) of the VPM as a seed into the Private Long Code Mask (PLCM). This PLCM is used as an additional scrambling mask for the information before its spreading. The 42-bit PLCM is consistent throughout the call and is sent to the new serving system by the VLR if the mobile roams into another serving system. The SMEKEY is used in the same way as in the TDMA based scheme.

[0018] The IS-41 3G security scheme uses the UMTS security scheme, which is based on the delivery of the 128-bits ciphering key CK and 128-bits integrity key IK to the visited system VLR, while the same keys are computed by the UIM.

[0019] Key conversions as a wireless unit roams between communications systems should be performed in a way that even if lower security of 2G schemes and algorithms is compromised and partial keys are recovered by the intruder, the session keys would still maintain the same level of security. Such conversions will allow a subscriber to "roam globally" maintaining the security of communications data and integrity of communications session.

[0020] MENEZES: "Handbook of applied cryptography" 1 mr. CRC PRESS LLC, US XPOOSI 91 21 3 teaches that a key-encrypting key K may be modified on a per-use basis by a counter. In particular, the key-encrypting key K may be modified by the counter N by performing K ⊕ N.

[0021] According to one aspect of this invention there is provided a method as claimed in claim 1.

According to another aspect of this invention there is provided a key conversion system as claimed in claim 9.

The present invention is a key conversion system for deterministically and reversibly converting a first key value of a first communications system into a second key value of a second communication system. For example, the key conversion system generates a first intermediate value from at least a portion of the first key value using a first random function. At least a portion of the first intermediate value is provided to a second random function to produce a second value. An exclusive-or is performed on at least a portion of the first key value and at least a portion of the second value to generate a second intermediate value. At least a portion of the second intermediate value is provided to a third random function to produce a third value. By performing an exclusive-or on at least a portion of the third value and at least a portion of the first intermediate value, the key conversion system produces at least a first portion of the second key value, and at least a second portion of the second key value is produced as the second intermediate value. The key conversion system is deterministic in that, given a first key value, a wireless unit and the wireless communications system will determine the same second key value without requiring an exchange of information.

[0024] The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the second key value of the second communications system is converted back to the first key value of the first communications system. For example, the key conversion system provides the at least second portion of the second key value to the third random function to produce the third value. The first intermediate value is generated by performing an exclusive-or on the first portion of the second key value and the third value. Using the second random function, the key conversion system generates the second value from the first intermediate value and produces at least a portion of the first key by performing an exclusive-or on the second value and the second portion of the second key value. The key conversion system provides improved security because even if almost all of the second key value is known, the first key value cannot easily be recovered. Similarly, if almost all of the first key value is known, the second key value is not easily recovered.

BRIEF DESCRIPTION OF THE DRAWINGS

Other aspects and advantages of the present invention may become apparent upon reading the following detailed description and upon reference to the drawings in which:

FIG. 1 shows a general diagram of wireless communications systems for which a key conversion system embodying the present invention can be used;
FIG. 2 is a block diagram illustrating the basic components of the prior art 2G global system for mobiles (GSM) network and security messages transmitted in the GSM network;
FIG. 3 is a block diagram illustrating the basic components of the prior art 3G UMTS network and messages transmitted in the 3G UMTS network;
FIG. 4 is a block diagram illustrating the basic components of the prior art 2G IS-41 network and messages transmitted in the prior art 2G network;
FIG. 5 is a block diagram illustrating how a user roams from a 2G TDMA network into a generic 3G network;
FIG. 6 is a block diagram illustrating how a user roams from a generic 3G network into a 2G TDMA network;
FIG. 7 is a block diagram illustrating how a user roams from a 2G CDMA network into a generic 3G network;
FIG. 8 is a block diagram illustrating how a user roams from a generic 3G network into a 2G CDMA network;
FIG. 9 is a block diagram illustrating how a user roams from a 2G GSM network into a generic 3G network;
FIG. 10 is a block diagram illustrating how a user roams from a generic 3G network into a 2G GSM network;
FIG. 11 is a flow diagram of an embodiment of the forward conversion for the key conversion system; and
FIG. 12 is a flow diagram of an embodiment of the reverse conversion for the key conversion system.

An illustrative embodiment of the key conversion system is described below which provides an improved key conversion for a wireless unit which roams between first and second wireless communications systems. The key conversion system deterministically and reversibly converts an m-bit key value of a first communications system into an n-bit key value of a second communication system. In certain embodiments, the key conversion system uses three random functions f, g and h where random functions f and g map an m-bit input string into an n-m bit string resembling a random number, and the random function h maps an n-m bit string into an m-bit string resembling a random number. A random function maps inputs to outputs such that the outputs are unpredictable and random looking given the input. In the embodiments described below, the random functions are random oracles where every time an input is given it maps to the same output. Additionally, in the embodiments described below, the random functions are publicly known. For example, the random functions are known by the wireless communications system(s) involved in the intersystem handoff and the wireless unit.

[0027] The key conversion system is deterministic in that given an m-bit key value, a wireless unit and the wireless communications system will determine the same n-bit key value without requiring an exchange of information. The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the n-bit key of the second communications system is converted back to the m-bit key of the first communications system. The key conversion system provides improved security because even if almost all of the n-bit key value is known, the m-bit key value cannot easily be recovered. Similarly, if almost all of the m-bit key value is known, the n-bit key value is not easily recovered.

[0028] Depending on the embodiment, the key conversion system can provide secure, deterministic and bi-directional key conversion when a wireless unit roams between two wireless communications systems, such as between an older communications system and a newer communications system. For example, where the same reference numerals indicate like components, the IS-41 3G security scheme of FIG. 5 converts, at the VLR 80 and at the wireless unit 120 (or 122), the 520-bits VPM in combination with the 64-bits SMEKEY received from the VLR 110 to the 128-bit CK and/or 128-bit IK when the wireless unit roams into the 3G system from the 2G TDMA system. Conversely, as shown in FIG. 6, the IS-41 3G security scheme converts, at the VLR 80 and the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 520-bits VPM in combination with the 64-bits SMEKEY when the wireless unit roams into the 2G TDMA system from the 3G system. The VLR 80 provides the VPM and the SMEKEY to the VLR 110.

[0029] As shown in FIG. 7, the IS-41 3G security scheme converts, at the VLR 80 and at the wireless unit 120 (or 122), the PLCM in combination with the 64-bits SMEKEY received from the VLR 110 to the CK and/or the 128-bit IK when the wireless unit roams into the 3G system from the 2G CDMA system. Conversely, as shown in FIG. 8, the IS-41 security scheme converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and 128-bit IK to the 42-bits PLCM in combination with the 64-bits SMEKEY when the mobile roams into the 2G CDMA system from the 3G system. The VLR 80 provides the PLCM and the SMEKEY to the VLR 110.

[0030] As shown in FIG. 9, the UMTS 3G security scheme converts, at the VLR 80 and at the wireless unit 60 (or 62), the 64-bit Kc received from the VLR 50 to the 128 bit CK and/or the 128-bit IK when the wireless unit roams into the 3G UMTS system from the 2G GSM system. Conversely, as shown in FIG. 10, the UMTS 3G security system converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 64-bit Kc when the wireless unit roams into the 2G GSM system from the 3G UMTS system. The VLR 80 provides the Kc to the VLR 50.

[0031] Accordingly, in certain embodiments, a wireless unit that supports enhanced subscriber authentication (ESA) and enhanced subscriber privacy (ESP) in a first communications system, such as a newer 3G communications system, may implement multiple privacy modes to enable the wireless unit to provide privacy using older algorithms in a second communications system, such as an older 2G TDMA communications system. Such a wireless unit can provide other forms of privacy after intersystem handoff to an MSC for an older second communications system that does not support ESP. When handoff to the older second communications system is required, the key conversion system can convert the key values for the newer first communications system to the privacy keys needed for the older privacy algorithms supported by the older second communications system. The keys for the second communications system can be sent to the target MSC of the second communications system from the MSC of the first communications system. Since the key conversion system is deterministic, the wireless unit will also have the keys for the second communications system by performing the same conversion as the first communication system using the key conversion system of the present invention.
The key c^^ 

a first system into a key(s) of a second system and back again. For example, when performing an intersystem handoff between a 3G communications system and a 2G TDMA system, the key conversion system can map a cipher key CK into a VPMASK/SMEKEY (VS) pair. In this embodiment, the key conversion function possesses the following properties: 1) A 128 bit CK is mapped into a 584 bit VS; 2) The function is reversible and maps back a 584 bit VS into a 128 bit CK; and 3) The function is secure in the sense that partial knowledge of the 584 bit key will not allow the adversary to recover the CK, nor will partial knowledge of 128 bit key CK allow the adversary to recover the 584 bit VS. In certain instances, for example when the call originates in a first communication system having a larger key value than the target second communications system, the conversion system maps the key value of the first communications system to a key value of a second communications system. If the wireless unit returns to the first communications system, the key conversion system maps the second key value to a subsequent key value for the first communications system which is not necessarily the same as the original key value. Subsequent handoffs back to the first communications system from the second communications system produce a key value which is the same as the subsequent key value.

[0033] For example, when performing an intersystem handoff for a call originating with a 2G TDMA system to a 3G system, the key conversion system can map VPMASK/SMEKEY (VS) pair into a cipher key CK. In this embodiment, the key conversion function maps the 584 bit VS into the 128 bit CK. If the wireless unit is handed back to the 2G TDMA system, the conversion system maps back the 128 bit CK into the 584 bit VS, but the new 584 bit VS may not be the same as the original 584 bit VS. Subsequent handoffs to the 2G TDMA system from the 3G system will maintain the new 584 bit VS. Although this should not affect the security or operation of the wireless unit, the 128 bit CK is maintained the same all along in this embodiment.

[0034] In this embodiment, the key conversion system includes conversion functions available at the MSC in the newer system and at the wireless unit which will convert key values for a first communications system, such as ESP keys, into key values of a second communications system, such as keys used for older privacy algorithms. In this example, the conversion function should convert the 128 bit CK key in the new first communication system to VPMASK/SMEKEY (VS) keys for the older second communication system. VPMASK is composed of 260 bits mask for each direction and SMEKEY is 64 bits long, for a total of 584 bits to be used by the older communication system. In case of an intersystem handoff from the old communication system to the new communication system, it may be useful for the conversion function to be reversible. The old communication system does not know about the new communication system and will transfer all 584 bits to the new communication system. The new communication system upon receiving the 584 bit key will realize that it needs to recover the 128 bit CK and hence will compute the CK from the 584 bit key.

[0035] The VS keys created at the wireless unit and the MSC should be the same. This means the calculation of the VS keys must be based solely on CK and any other quantities known by both the MSC and the wireless unit. Otherwise, any new quantities (e.g. random number) would have to be exchanged between the wireless unit and the MSC prior to the conversion. The key conversion system does not require the exchange of information between the wireless unit and the new MSC and deterministically maps a CK to VS keys and VS keys to a CK key.

Additionally, weaknesses in the old communications system should not make the new communications system weak. One can achieve this by making the key conversion function cryptographically one way, so that even if the entire key of the old communication system, such as the VS key in this example, is revealed, the adversary cannot recover the key of the new communication system, such as the CK key in this example. However, this will make the system non-reversible and, as previously noted, the key conversion system should be reversible. Nevertheless, the key conversion system can be reversible and still provide almost all of the security of a non-reversible function. The security of the key conversion system in this example prevents an adversary from recovering any part of the CK key even if almost all of the VS key is revealed except a small part. The adversary can guess the small part but he should not be able to do any better. This aspect is important because parts of VPMASK may be somewhat easy to recover and the entire VPMASK may be easier to recover than the SMEKEY. Yet if some part of the old system is hard to recover then the adversary will not know anything about CK. A similar security can apply to CK so that a partial knowledge of CK should not tell the adversary anything about VS.

[0037] In certain embodiments, the conversion function has two modes, the forward conversion and the reverse conversion. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the forward conversion takes the 128 bit randomly created CK key and expands it to a 584 bit VS key. The reverse conversion function takes the 584 bit VS keys and maps it to a 128 bit CK key. In this embodiment, the forward conversion function is composed of 3 random functions f, g and h which map a given input into a random output. In this embodiment, these are not secret functions but public random functions known to everybody, including the adversary. These public random functions are referred to as random oracles in the literature. These random oracles can be implemented using hash functions and block ciphers as described below. In this example, the three random functions are f, g, h where f and g map a 128 bit input into a 456 bit random value, and h maps a 456 bit input into a 128 bit random value.

[0038] FIG. 11 shows a flow diagram of an embodiment of the forward conversion of the key conversion system for converting an m-bit key value KEY1 of a first communications system into an n-bit key value KEY2 of a second communications system. The m bit KEY1 is provided to a random function f (block 200) which maps an m-bit string into an n-m bit random number or first intermediate value R. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the conversion system converts a 128 bit key CK into a 584 bit key (VPMASK, SMEKEY). The 128 bit key CK is provided to the random function f (200) which maps the 128 bit CK into a 456 bit random number or first intermediate value R. The intermediate value R is provided to a random function h (block 210) which maps an n-m bit string into an m bit random number. The m-bit output of the function h (210) is subject to an exclusive-or (XOR 220) with the m bit KEY1 to produce an m-bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the 456 bit intermediate value R is provided to the function h (210). The function h (210) maps the 456 bit value R to a 128 bit random number which is XORed with the 128 bit CK to produce a 128 bit second intermediate value T.

[0039] In the embodiment of FIG. 11, the m-bit intermediate value T is provided to a random function g (block 230). The random function g (block 230) maps an m bit string to an n-m bit random number which is subject to an exclusive-or (XOR 240) with the n-m bit intermediate value R to produce an n-m bit key value V which can be used as a key, keys or portion(s) of key(s). In this embodiment, the value V is a portion of the value KEY2 which can be used as a key, keys or portion(s) of key(s). In this embodiment, the n bit key KEY2 includes the n-m bit value V along with the m bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the random function g (230) maps the 128 bit intermediate value T into a 456 bit random number which is subject to the exclusive-or (XOR 240) with the 456 bit intermediate value R to produce the 456 bit key value V. The 456 bit value V and the 128 bit intermediate value T form the 584 bit key value which in this example can be divided into the VPMASK and the SMEKEY for TDMA systems.

[0040] The forward conversion of the CK of the 3G system to the VPMASK and SMEKEY of the 2G TDMA system can be written according to the following steps.

1. R = f(CK) /* create a 456 bit value from 128 bit CK by applying f */
2. T = h(R) XOR CK /* create a 128 bit value using h */
3. V = g(T) XOR R /* create a 456 bit value using g */
4. Output T,V /* the 584 bit value */

[0041] FIG. 12 shows a flow diagram of an embodiment of the reverse conversion of the key conversion system for converting the n-bit key value KEY2 of the second communications system back into the m-bit key value KEY1 of the first communications system. In this embodiment, the n bit key value KEY2 is divided into an n-m bit first portion or value V and an m-bit second portion or value T. The m-bit value T is provided to the random function g (block 250) which maps an m-bit string into an n-m bit random number. The n-m bit random number is subjected to an exclusive-or (XOR 260) with the n-m bit key value V to produce the n-m bit first intermediate value R. In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the conversion system converts the 584 bit key (VPMASK, SMEKEY) into a 128 bit key CK. The 128 bit key value portion T is provided to the random function g (250) which maps the 128 bit T into a 456 bit random number. The 456 bit random number is exclusive-ORed (XOR 260) with the 456 bit key value V to produce the 456 bit first intermediate value

[0042] In the embodiment of FIG. 12, the n-m bit first intermediate value R is provided to a random function h (block 270). The random function h (block 270) maps an n-m bit string to an m bit random number which is subject to an exclusive-or (XOR 280) with the m bit key value T to produce an m bit key value KEY1 which can be used as a key, keys or portion(s) of key(s). In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the random function h (270) maps the 456 bit intermediate value R into a 128 bit random number which is subject to an exclusive-or (XOR 280) with the 128 bit key value T to produce the 128 bit key CK.

[0043] The reverse conversion of the VPMASK and SMEKEY of the 2G TDMA system to the CK of the 3G system can be written according to the following steps.

1. Set T,V to 584 bit input /* T is 128 bit part, V is 456 bit part */
2. R = g(T) XOR V /* create 456 bit value R using T, V */
3. CK = h(R) XOR T

[0044] The random functions f, g and h can be implemented using hash functions and/or block ciphers. To implement the random functions f, g, and h, which can be referred to as random oracles, cryptographic hash functions, such as the functions known as SHA-1, MD5, RIPE-MD, can be used to instantiate the random functions f, g, h. A hash function can be typically characterised as a function which maps inputs of one length to outputs of another, and given an output, it is not feasible to determine the input that will map to the given output. Moreover, it is not feasible to find two inputs which will map to the same output. In using a SHA-1 hash function, each call to the SHA-1 hash function has a 160 bit initial vector (IV) and takes a 512 bit input or payload which is mapped into a 160 bit output. The IV is set to the IV defined in the standard for SHA-1 hash function. The payload will contain various input arguments: SHA(Type, Count, Input, Pad) where Type is a byte value which defines the various functions f, g, h. Function f and g will call SHA multiple times, and Count is a byte value which differentiates the multiple calls. Input is the input argument to the functions f, g, or h. Pad is zeroes to fill the remaining bit positions in the 512 bit SHA payload. Below is an example procedure for implementing the random function f, g and h using a hash function routine referred to as SHA.

SHA(type, count, input, pad)
f(CK): SHA(1, 1, CK, pad)
       SHA(1, 2, CK, pad)
       SHA(1, 3, CK, pad) mod 2^136
h(R):  SHA(2, 1, R, pad) mod 2^128
g(T):  SHA(3, 1, T, pad)
       SHA(3, 2, T, pad)
       SHA(3, 3, T, pad) mod 2^136
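
The forward and reverse conversion steps, run with the SHA-based f, g and h of the procedure above, as an added example that is not part of the patent text. Assumptions: Python's hashlib.sha1 stands in for the single SHA-1 call on a 512 bit payload (it appends its own length padding), "mod 2^k" keeps the low-order k bits of the big-endian digest, T is placed before V in the 584 bit output, and the sample inputs are constructed.

```python
"""Forward and reverse key conversion (CK <-> T,V) with SHA-based f, g, h."""
import hashlib

M_BYTES = 16                    # m = 128 bits (CK and T)
NM_BYTES = 57                   # n - m = 456 bits (R and V)
N_BYTES = M_BYTES + NM_BYTES    # n = 584 bits (T,V)
PAYLOAD_BYTES = 64              # 512 bit SHA payload


def sha(type_byte: int, count: int, data: bytes) -> bytes:
    """SHA(Type, Count, Input, Pad): hash one zero-padded 512 bit payload.

    Assumption: hashlib.sha1 replaces the raw single-block SHA-1 call of the
    text; it adds standard length padding after the 512 bit payload.
    """
    payload = bytes([type_byte, count]) + data
    if len(payload) > PAYLOAD_BYTES:
        raise ValueError("Type, Count and Input exceed the 512 bit payload")
    payload += bytes(PAYLOAD_BYTES - len(payload))    # Pad: zeroes
    return hashlib.sha1(payload).digest()             # 160 bit output


def expand(type_byte: int, data: bytes) -> bytes:
    """128 -> 456 bits: two full digests plus the third one mod 2^136."""
    if len(data) != M_BYTES:
        raise ValueError("expected a 128 bit input")
    third = sha(type_byte, 3, data)[-17:]             # low-order 136 bits
    return sha(type_byte, 1, data) + sha(type_byte, 2, data) + third


def f(ck: bytes) -> bytes:
    """f(CK): Type = 1."""
    return expand(1, ck)


def g(t: bytes) -> bytes:
    """g(T): Type = 3."""
    return expand(3, t)


def h(r: bytes) -> bytes:
    """h(R): SHA(2, 1, R, pad) mod 2^128, 456 -> 128 bits."""
    if len(r) != NM_BYTES:
        raise ValueError("expected a 456 bit input")
    return sha(2, 1, r)[-16:]                         # low-order 128 bits


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def forward(ck: bytes) -> bytes:
    """CK (128 bits) -> T,V (584 bits)."""
    r = f(ck)                   # step 1: R = f(CK)
    t = xor(h(r), ck)           # step 2: T = h(R) XOR CK
    v = xor(g(t), r)            # step 3: V = g(T) XOR R
    return t + v                # step 4: output T,V


def reverse(tv: bytes) -> bytes:
    """T,V (584 bits) -> CK (128 bits)."""
    if len(tv) != N_BYTES:
        raise ValueError("expected a 584 bit input")
    t, v = tv[:M_BYTES], tv[M_BYTES:]   # step 1: split into T and V
    r = xor(g(t), v)                    # step 2: R = g(T) XOR V
    return xor(h(r), t)                 # step 3: CK = h(R) XOR T


def is_forward_image(tv: bytes) -> bool:
    """True only if tv is what forward() yields for the CK it reverses to."""
    return forward(reverse(tv)) == tv


if __name__ == "__main__":
    ck = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed CK
    tv = forward(ck)
    print("T,V      :", tv.hex())
    print("recovered:", reverse(tv).hex())
    arbitrary = bytes(range(N_BYTES))   # constructed value, not from forward()
    print("arbitrary value is a forward image:", is_forward_image(arbitrary))
```

reverse() accepts any 584 bit value, but because forward() expands 128 bits to 584, only values it produced convert back to themselves; is_forward_image() makes that visible.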

Block ciphers, like AES, can be used to create functions f, g, and h.

f(CK): E_CK(1); E_CK(2); E_CK(3); E_CK(4) mod 2^72;
h(R): E_K0(R1 XOR 5) XOR E_K0(R2 XOR 6) XOR E_K0(R3 XOR 7) XOR E_K0(R4 XOR 8);
g(T): E_T(9); E_T(10); E_T(11); E_T(12) mod 2^72;

where in f(CK), CK is used as the key to the block cipher and a 512 bit stream is produced by encrypting 1...4 in counter mode. The last encryption is truncated from 128 bit to 72 bit to get the needed 456 bits. In h(R), a public key K0 is used to encrypt the parts of 456 bit R and the resulting ciphertexts are exclusive-ored together. R1, R2, and R3 are 128 bit values and R4 is the remaining 72 bit value of R padded with zeroes to complete 128 bits.

[0045] Thus, the key conversion system provides bi-directional, deterministic and secure conversion of a key(s) or portion(s) thereof between first and second communications systems. The key conversion system is secure in the forward direction in that given most of the output KEY2 (for example, T,V), an adversary cannot recover KEY1 (for example, CK). In the example with the 2G TDMA and 3G systems, if all of T and most of V except say 64 bits are known, then parts of R can be recovered, but not all of R, by calculating R = g(T) XOR V. An attempt can be made to recover some of CK by performing CK = h(R) XOR T. However, since all of R is not known, even a bit of information about h(R) cannot be recovered, assuming h is a random function. Hence no information can be recovered about CK. Similarly, if all of V and part of T are known, except say 64 bits of T, then no information about CK can be recovered. Since we do not know all of T, the intermediate value R cannot be calculated using g(T) XOR V. Thus without the intermediate value R, no progress can be made in recovering any information about CK.

[0046] Similarly, the key conversion system is secure in the reverse direction in that given most of the output KEY1 (for example, CK), an adversary cannot recover KEY2 (for example, T,V). In the example with the 2G TDMA and 3G systems, if a part of CK is known, no information about T,V can be recovered. Since we do not know all of CK, the intermediate value R cannot be calculated using f(CK). Thus without the intermediate value R, no progress can be made in recovering any information about T,V.

[0047] In addition to the embodiment(s) described above, key conversion systems can be used which omit and/or add input parameters and/or random functions or other operations and/or use variations or portions of the described system. For example, the key conversion system has been described as converting between n bit key of a first communication system and an m bit key of a second communications system using random oracles f, g and h where the random oracles f and g map an m bit string to a n-m bit random number and the random oracle h maps a n-m bit string to an m bit random number. However, different random functions can be used as well as different or additional functions which map x bit strings to y bit random numbers and/or map y bit strings to x bit random numbers where x or y can be equal to n-m or m. Additionally, the m bit key value for the first communications system can be a key, keys or portion(s) thereof, and the n bit key value for the second communications system can be a key, keys or portion(s) thereof. For example, in the example with the 2G TDMA and 3G systems, the conversion is between the 128 bit CK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system, but the conversion could be between a 256 bit key value of CK and IK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system.

[0048] In the example described above, a forward conversion is from the m bit key value of the first communications system to the n bit key value of the second communications system where the first communications system corresponds to the new system and the second communications system corresponds to the old system and where m<n. However, depending on the embodiment, the first communications system can be older, and the second communications system is newer. Alternatively, the forward conversion can be the conversion of the smaller size key value of one communications system to the larger bit size key value of another communications system, and the reverse conversion is the conversion of the larger bit size key value to the smaller size key value. Depending on the embodiment, the conversion of different, larger, smaller and/or the same size(s) of key value(s) between the different communications systems are possible.

[0049] Furthermore, the key conversion system can be used to handle the intersystem handoffs described in FIGs. 5-10 to convert a key, keys or portion(s) thereof from one communications system to the key, keys or portion(s) thereof of another communications system. It should be understood that different notations, references and characterizations of the various values, inputs and architecture blocks can be used. For example, the functionality described for the key conversion system can be performed in a home authentication center, home location register (HLR), a home MSC, a visiting authentication center, a visitor location register (VLR) and/or in a visiting MSC. Moreover, the key conversion system and portions thereof can be performed in a wireless unit, a base station, base station controller, MSC, VLR, HLR or other sub-system of the first and/or second communications system. It should be understood that the system and portions thereof and of the described architecture can be implemented in or integrated with processing circuitry in the unit or at different locations of the communications system, or in application specific integrated circuits, software-driven processing circuitry devices, firmware, hardware or other arrangements of discrete components as would be understood by one of ordinary skill in the art with the benefit of this disclosure. What has been described is merely illustrative of the application of the principles of the present invention. Those skilled in the art will readily recognize that these and various other modifications, arrangements and methods can be made to the present invention without strictly following the exemplary applications illustrated and described herein and without departing from the of the present invention.



Claims

1. A method of converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said method CHARACTERIZED BY:

generating a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f);
providing at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value;
performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T);
providing at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value; and
producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. The method of claim 1 CHARACTERIZED BY:

producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. The method of claim 1 CHARACTERIZED IN THAT said generating comprises the step of:

providing said first key value (key 1) of m bits to a first random function (f) to produce said first intermediate value (R) of n-m bits.

4. The method of claim 3 CHARACTERIZED IN THAT said first steps of providing and performing comprise:

providing said n-m bit first intermediate value (R) to a second random function (h) to produce an m bit second value; and
performing an exclusive-or (220) on said m bit first key value (key 1) and said m bit second value to generate said second intermediate value (T) with m bits.

5. The method of claim 4 CHARACTERIZED IN THAT said second step of providing and said step of producing comprise:

providing said m bit second intermediate value (T) to a third random function (g) to produce a n-m bit third value; and
performing an exclusive-or (240) on said n-m bit third value and said n-m bit first intermediate value (R) to generate an n-m bit first portion (V) of said second key value (key 2).

6. The method of claim 5 CHARACTERIZED BY:

providing said m bit second intermediate value (T) as an m bit second portion of said second key value (key 2) having n bits.

7. The method of claim 2 CHARACTERIZED BY the steps of:

providing said second portion (T) of said second key value (key 2) to said third random function (g) to produce said third value; and
generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. The method of claim 7 further CHARACTERIZED BY:

using said second random function (h) to generate said second value from said first intermediate value (R); and
producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. A key conversion system for converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said system CHARACTERIZED BY:

processing circuitry adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f), to provide at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T), to provide at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. The system of claim 9 CHARACTERIZED IN THAT said processing circuitry is configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).



1. Method of converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said method being CHARACTERIZED BY:

generating a first intermediate value (R) from at least a portion of said first key value (key 1) by means of a first random function (f);
supplying at least a portion of said first intermediate value (R) to a second random function (h) in order to produce a second value;
performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value in order to generate a second intermediate value (T);
supplying at least a portion of said second intermediate value (T) to a third random function (g) in order to produce a third value; and
producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. Method according to claim 1, CHARACTERIZED BY:

producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. Method according to claim 1, CHARACTERIZED IN THAT said generating comprises the step of:

supplying said first key value (key 1) of m bits to a first random function (f) in order to produce said first intermediate value (R) of n-m bits.

4. Method according to claim 3, CHARACTERIZED IN THAT said first steps of supplying and performing comprise:

supplying said first intermediate value of n-m bits (R) to a second random function (h) in order to produce a second value of m bits; and
performing an exclusive-or (220) on said first key value of m bits (key 1) and said second value of m bits in order to generate said second intermediate value (T) with m bits.

5. Method according to claim 4, CHARACTERIZED IN THAT said second step of supplying and said step of producing comprise:

supplying said second intermediate value of m bits (T) to a third random function (g) in order to produce a third value of n-m bits; and
performing an exclusive-or (240) on said third value of n-m bits and said first intermediate value of n-m bits (R) in order to generate a first portion of n-m bits (V) of said second key value (key 2).

6. Method according to claim 5, CHARACTERIZED BY:

supplying said second intermediate value of m bits (T) as a second portion of m bits of said second key value (key 2) having n bits.

7. Method according to claim 2, CHARACTERIZED BY the steps of:

supplying said second portion (T) of said second key value (key 2) to said third random function (g) in order to produce said third value; and
generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. Method according to claim 7, further CHARACTERIZED BY:

using said second random function (h) in order to generate said second value from said first intermediate value (R); and
producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. Key conversion system for converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said system being CHARACTERIZED BY:

processing circuits adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) by means of a first random function (f), to supply at least a portion of said first intermediate value (R) to a second random function (h) in order to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value in order to generate a second intermediate value (T), to supply at least a portion of said second intermediate value (T) to a third random function (g) in order to produce a third value, and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. System according to claim 9, CHARACTERIZED IN THAT said processing circuits are configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

1. Method for converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second telecommunications system, characterized by the following steps:

generating a first intermediate value (R) from at least a part of the first key value (key 1) using a first random function (f);
providing at least a part of the first intermediate value (R) to a second random function (h) for generating a second value;
performing an exclusive-or function (220) on at least a part of the first key value (key 1) and at least a part of the second value for generating a second intermediate value (T);
providing at least a part of the second intermediate value (T) to a third random function (g) for generating a third value; and
generating at least a first part of the second key value (key 2) by performing an exclusive-or function (240) on at least a part of the third value and at least a part of the first intermediate value (R).

2. Method according to claim 1, characterized by generating at least a part of the second intermediate value (T) as at least a second part of the second key value (key 2).

3. Method according to claim 1, characterized in that the generating comprises the following step:

providing the first key value (key 1) of m bits to a first random function (f) for generating the first intermediate value (R) of n-m bits.

4. Method according to claim 3, characterized in that the first steps of providing and performing comprise the following:

providing the first n-m bit intermediate value (R) to a second random function (h) for generating a second m bit value; and
performing an exclusive-or function (220) on the first m bit key value (key 1) and the second m bit value for generating the second intermediate value (T) with m bits.

5. Method according to claim 4, characterized in that the second step of providing and the step of generating comprise the following:

providing the second m bit intermediate value (T) to a third random function (g) for generating a third n-m bit value; and
performing an exclusive-or function (240) on the third n-m bit value and the first n-m bit intermediate value (R) for generating a first n-m bit part (V) of the second key value (key 2).

6. Method according to claim 5, characterized by providing the second m bit intermediate value (T) as a second m bit part of the second key value (key 2) with n bits.

7. Method according to claim 2, characterized by the following steps:

providing the second part (T) of the second key value (key 2) to the third random function (g) for generating the third value; and
generating the first intermediate value (R) by subjecting the first part (V) of the second key value (key 2) to an exclusive-or function (260) with the third value.

8. Method according to claim 7, further characterized by:

using the second random function (h) for generating the second value from the first intermediate value (R); and
generating at least a part of the first key by subjecting the second value to an exclusive-or function (280) with the second part (T) of the second key value (key 2).

9. Key conversion system for converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second communications system, characterized by the following:

processing circuits for generating a first intermediate value (R) from at least a part of the first key value (key 1) using a first random function (f), for providing at least a part of the first intermediate value (R) to a second random function (h) for generating a second value, for performing an exclusive-or function (220) on at least a part of the first key value (key 1) and at least a part of the second value for generating a second intermediate value (T), for providing at least a part of the second intermediate value (T) to a third random function (g) for generating a third value, and for generating at least a first part of the second key value (key 2) by subjecting at least a part of the third value to an exclusive-or function (240) with at least a part of the first intermediate value (R).

10. System according to claim 9, characterized in that the processing circuits are configured for generating at least a part of the second intermediate value (T) as at least a second part of the second key value (key 2).